Add gcp sql rules for insecure ssl_mode (#3540) (#3553)

* Add gcp sql rules for insecure ssl_mode

* clean up message and references

---------

Co-authored-by: Pieter De Cremer (Semgrep) <pieter@r2c.dev>
Co-authored-by: Lewis <LewisArdern@live.co.uk>

Author: 3 people

terraform/gcp/security/gcp-sql-database-require-ssl.yaml

@@ -39,7 +39,8 @@ rules:
     - terraform
     - gcp
     references:
-    - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+    - "https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration"
+    - "https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
     subcategory:
     - vuln
     likelihood: LOW

terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.fixed.tf

@@ -0,0 +1,138 @@
+# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+resource "google_sql_database_instance" "fail" {
+  database_version = "MYSQL_8_0"
+  name             = "instance"
+  region           = "us-central1"
+  settings {
+    tier = "db-f1-micro"
+  }
+}
+
+# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+resource "google_sql_database_instance" "success" {
+  database_version = "MYSQL_8_0"
+  name             = "instance"
+  region           = "us-central1"
+  ip_configuration {
+      ipv4_enabled = true
+      require_ssl = true
+  }
+}
+
+resource "google_sql_database_instance" "main" {
+  name      = "some-example-name"
+  database_version  = "POSTGRES_15"
+  region      = "europe-west3"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "main" {
+  name      = "some-example-name"
+  database_version  = "POSTGRES_15"
+  region      = "europe-west3"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "main" {
+  name      = "some-example-name"
+  database_version  = "POSTGRES_15"
+  region      = "europe-west3"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "main" {
+  name      = "some-example-name"
+  database_version  = "POSTGRES_15"
+  region      = "europe-west3"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "mysql_fail" {
+  database_version = "MYSQL_8_0"
+  name             = "mysql-instance"
+  region           = "us-central1"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "mysql_success" {
+  database_version = "MYSQL_8_0"
+  name             = "mysql-instance"
+  region           = "us-central1"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "sqlserver_fail" {
+  database_version = "SQLSERVER_2019_STANDARD"
+  name             = "sqlserver-instance"
+  region           = "us-central1"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "sqlserver_success" {
+  database_version = "SQLSERVER_2019_STANDARD"
+  name             = "sqlserver-instance"
+  region           = "us-central1"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "ENCRYPTED_ONLY"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "mysql_success_with_ssl_mode" {
+  database_version = "MYSQL_8_0"
+  name             = "mysql-instance"
+  region           = "us-central1"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+    }
+  }
+}
+

terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.tf

@@ -0,0 +1,138 @@
+# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+resource "google_sql_database_instance" "fail" {
+  database_version = "MYSQL_8_0"
+  name             = "instance"
+  region           = "us-central1"
+  settings {
+    tier = "db-f1-micro"
+  }
+}
+
+# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+resource "google_sql_database_instance" "success" {
+  database_version = "MYSQL_8_0"
+  name             = "instance"
+  region           = "us-central1"
+  ip_configuration {
+      ipv4_enabled = true
+      require_ssl = true
+  }
+}
+
+resource "google_sql_database_instance" "main" {
+  name      = "some-example-name"
+  database_version  = "POSTGRES_15"
+  region      = "europe-west3"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "main" {
+  name      = "some-example-name"
+  database_version  = "POSTGRES_15"
+  region      = "europe-west3"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "main" {
+  name      = "some-example-name"
+  database_version  = "POSTGRES_15"
+  region      = "europe-west3"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "ENCRYPTED_ONLY"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "main" {
+  name      = "some-example-name"
+  database_version  = "POSTGRES_15"
+  region      = "europe-west3"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "mysql_fail" {
+  database_version = "MYSQL_8_0"
+  name             = "mysql-instance"
+  region           = "us-central1"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "ENCRYPTED_ONLY"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "mysql_success" {
+  database_version = "MYSQL_8_0"
+  name             = "mysql-instance"
+  region           = "us-central1"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "ENCRYPTED_ONLY"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "sqlserver_fail" {
+  database_version = "SQLSERVER_2019_STANDARD"
+  name             = "sqlserver-instance"
+  region           = "us-central1"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "sqlserver_success" {
+  database_version = "SQLSERVER_2019_STANDARD"
+  name             = "sqlserver-instance"
+  region           = "us-central1"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "ENCRYPTED_ONLY"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "mysql_success_with_ssl_mode" {
+  database_version = "MYSQL_8_0"
+  name             = "mysql-instance"
+  region           = "us-central1"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+      ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+    }
+  }
+}
+

terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.yaml

@@ -0,0 +1,58 @@
+rules:
+- id: gcp-sql-database-ssl-insecure-value-postgres-mysql
+  patterns:
+  - pattern-inside: |
+      resource "google_sql_database_instance" "..." {
+          ...
+          database_version = "$DB"
+          ...
+      }
+  - pattern-inside: |
+      resource "google_sql_database_instance" "..." {
+          ...
+          ip_configuration {
+              ...
+              ssl_mode = $VALUE
+              ...
+          }
+          ...
+      }
+  - pattern-not-inside: |
+      resource "google_sql_database_instance" "..." {
+          ...
+          ip_configuration {
+              ...
+              ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+              ...
+          }
+          ...
+      }
+  - metavariable-regex:
+      metavariable: $DB
+      regex:  .*(MYSQL|POSTGRES).*
+  - focus-metavariable: $VALUE
+  fix: |
+    "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+  message: >-
+    Ensure all Cloud SQL database instance require incoming connections to use SSL. To enable this for PostgresSQL and MySQL, use `ssl_mode="TRUSTED_CLIENT_CERTIFICATE_REQUIRED"`.
+  metadata:
+    owasp:
+    - A03:2017 - Sensitive Data Exposure
+    - A02:2021 - Cryptographic Failures
+    cwe:
+    - 'CWE-326: Inadequate Encryption Strength'
+    category: security
+    technology:
+    - terraform
+    - gcp
+    references:
+    - "https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration"
+    - "https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: MEDIUM
+  languages: [hcl]
+  severity: WARNING
+